For hardware firewall you'll have to find a competent host like Todo10 or buy a dedicated server and pay an extra so your hosting can install it.
As regarding the proxy server that will require a sysadmin to do it for you
You don't need a dedicated server or hardware firewall or proxy or any such nonsense. That's absolutely silly.
Any good host with DDoS protection, or CloudFlare should be able to knock this down for you without any difficulty.
Either the attacker knows the real IP of your server, in which case follow the advice of @ozzy47 or you have CloudFlare configured improperly. You are paying big bucks for CloudFlare Pro. Their support should be able to help you configure their offering properly.
Probably not since it looks like a Layer 7 attack that just doesn't get filtered by Cloudflare. Without any configuration Cloudflare plans below Business don't help you that much, you should look into the WAF which has some Anti DDoS rules that you can enable and as already mentioned the under attack mode.